Support for shifted port-ranges in DNAT was added to iptables in 2018. This allows one to redirect packets intended for one port to another in a range in such a way that the new port chosen has the same offset in the range as the original port had from a specified base value. For example, by using the base value 2000, one could redirect packets intended for 10.0.0.1:2000-3000 to 10.10.0.1:12000-13000 so that the old and new ports were at the same offset in their respective ranges, i.e.:

10.0.0.1:2345 -> 10.10.0.1:12345

However, while support for this was added to the common NAT infra-
structure in the kernel, only the xt_nat module was updated to make use of it. This support has now also been added to the nft_nat module, so make it available in user space.

In contrast to iptables, where shifting is only available for DNAT, both DNAT and SNAT are supported.

Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx>
---
 include/libnftnl/expr.h | 1 +
 include/linux/netfilter/nf_tables.h | 2 ++
 src/expr/nat.c | 22 ++++++++++++++++++++++
 tests/nft-expr_nat-test.c | 4 ++++
 4 files changed, 29 insertions(+)

diff --git a/include/libnftnl/expr.h b/include/libnftnl/expr.h
index 9873228dd794..e118a57d4769 100644
--- a/include/libnftnl/expr.h
+++ b/include/libnftnl/expr.h
@@ -150,6 +150,7 @@ enum {
  NFTNL_EXPR_NAT_REG_PROTO_MIN,
  NFTNL_EXPR_NAT_REG_PROTO_MAX,
  NFTNL_EXPR_NAT_FLAGS,
+ NFTNL_EXPR_NAT_REG_PROTO_BASE,
 };
 
 enum {
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 4608646f2103..5c7a47ac8746 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
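Review bot: `NFTNL_EXPR_NAT_REG_PROTO_BASE` is appended after `NFTNL_EXPR_NAT_FLAGS` rather than next to the other `_REG_PROTO_*` enumerators, which is the right choice because these values are public ABI and src/expr/nat.c also uses them as bit positions in `e->flags`, but nothing records that reason, so the next addition may get slotted into the middle. The public header also never says what the new attribute holds; only the kernel UAPI comment in the next file does. I would put a short comment on the new line, e.g. `/* appended: values are ABI; source register of the proto range base port */`. The enclosing `enum` opens before this hunk.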
@@ -1415,6 +1415,7 @@ enum nft_nat_types {
  * @NFTA_NAT_REG_PROTO_MIN: source register of proto range start (NLA_U32: nft_registers)
  * @NFTA_NAT_REG_PROTO_MAX: source register of proto range end (NLA_U32: nft_registers)
  * @NFTA_NAT_FLAGS: NAT flags (see NF_NAT_RANGE_* in linux/netfilter/nf_nat.h) (NLA_U32)
+ * @NFTA_NAT_REG_PROTO_BASE: source register of proto range base offset (NLA_U32: nft_registers)
  */
 enum nft_nat_attributes {
  NFTA_NAT_UNSPEC,
@@ -1425,6 +1426,7 @@ enum nft_nat_attributes {
  NFTA_NAT_REG_PROTO_MIN,
  NFTA_NAT_REG_PROTO_MAX,
  NFTA_NAT_FLAGS,
+ NFTA_NAT_REG_PROTO_BASE,
  __NFTA_NAT_MAX
 };
 #define NFTA_NAT_MAX (__NFTA_NAT_MAX - 1)
diff --git a/src/expr/nat.c b/src/expr/nat.c
index ca727be0cda6..6d304870d419 100644
--- a/src/expr/nat.c
+++ b/src/expr/nat.c
@@ -29,6 +29,7 @@ struct nftnl_expr_nat {
  enum nft_registers sreg_addr_max;
  enum nft_registers sreg_proto_min;
  enum nft_registers sreg_proto_max;
+ enum nft_registers sreg_proto_base;
  int family;
  enum nft_nat_types type;
  uint32_t flags;
@@ -59,6 +60,9 @@ nftnl_expr_nat_set(struct nftnl_expr *e, uint16_t type,
  case NFTNL_EXPR_NAT_REG_PROTO_MAX:
  memcpy(&nat->sreg_proto_max, data, sizeof(nat->sreg_proto_max));
  break;
+ case NFTNL_EXPR_NAT_REG_PROTO_BASE:
+ memcpy(&nat->sreg_proto_base, data, sizeof(nat->sreg_proto_base));
+ break;
  case NFTNL_EXPR_NAT_FLAGS:
  memcpy(&nat->flags, data, sizeof(nat->flags));
  break;
@@ -94,6 +98,9 @@ nftnl_expr_nat_get(const struct nftnl_expr *e, uint16_t type,
  case NFTNL_EXPR_NAT_REG_PROTO_MAX:
  *data_len = sizeof(nat->sreg_proto_max);
  return &nat->sreg_proto_max;
+ case NFTNL_EXPR_NAT_REG_PROTO_BASE:
+ *data_len = sizeof(nat->sreg_proto_base);
+ return &nat->sreg_proto_base;
  case NFTNL_EXPR_NAT_FLAGS:
  *data_len = sizeof(nat->flags);
  return &nat->flags;
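Review bot: The numeric value that `NFTA_NAT_REG_PROTO_BASE` takes in the enum hunk at `@@ -1425` is what `nftnl_expr_nat_parse` and `nftnl_expr_nat_build` put on the wire, so this hand-edited copy of the kernel UAPI header has to agree exactly with the kernel's final numbering; if the kernel patch were merged with the attribute at a different position, the register would be silently delivered under the wrong attribute and the mismatch would only show up as kernel-side rejections or misapplied NAT. The description says the nft_nat support has been added but not which kernel tree this header was synchronised from. I would name it in the commit message, e.g. `Sync include/linux/netfilter/nf_tables.h with kernel commit <KERNEL-COMMIT-ID placeholder>`, and treat the doc hunk at `@@ -1415` the same way since both should come from the same sync.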
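Review bot: `sreg_proto_base` is added to `struct nftnl_expr_nat` at `@@ -29` without any comment, and nothing in src/expr/nat.c explains how it relates to `sreg_proto_min`/`sreg_proto_max`; the only description is in the commit message. A one-line comment on the new member would save the next reader a trip to the kernel, e.g. `/* register holding the base port: the original port's offset from it is preserved within the proto range (see commit description) */`. The set/get hunks at `@@ -59` and `@@ -94` mirror the existing `_MAX` cases exactly and need nothing further. The struct and both switch functions extend beyond their hunks.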
@@ -116,6 +123,7 @@ static int nftnl_expr_nat_cb(const struct nlattr *attr, void *data)
  case NFTA_NAT_REG_ADDR_MAX:
  case NFTA_NAT_REG_PROTO_MIN:
  case NFTA_NAT_REG_PROTO_MAX:
+ case NFTA_NAT_REG_PROTO_BASE:
  case NFTA_NAT_FLAGS:
  if (mnl_attr_validate(attr, MNL_TYPE_U32) < 0)
  abi_breakage();
@@ -163,6 +171,11 @@ nftnl_expr_nat_parse(struct nftnl_expr *e, struct nlattr *attr)
  ntohl(mnl_attr_get_u32(tb[NFTA_NAT_REG_PROTO_MAX]));
  e->flags |= (1 << NFTNL_EXPR_NAT_REG_PROTO_MAX);
  }
+ if (tb[NFTA_NAT_REG_PROTO_BASE]) {
+ nat->sreg_proto_base =
+ ntohl(mnl_attr_get_u32(tb[NFTA_NAT_REG_PROTO_BASE]));
+ e->flags |= (1 << NFTNL_EXPR_NAT_REG_PROTO_BASE);
+ }
  if (tb[NFTA_NAT_FLAGS]) {
  nat->flags = ntohl(mnl_attr_get_u32(tb[NFTA_NAT_FLAGS]));
  e->flags |= (1 << NFTNL_EXPR_NAT_FLAGS);
@@ -192,6 +205,9 @@ nftnl_expr_nat_build(struct nlmsghdr *nlh, const struct nftnl_expr *e)
  if (e->flags & (1 << NFTNL_EXPR_NAT_REG_PROTO_MAX))
  mnl_attr_put_u32(nlh, NFTA_NAT_REG_PROTO_MAX,
  htonl(nat->sreg_proto_max));
+ if (e->flags & (1 << NFTNL_EXPR_NAT_REG_PROTO_BASE))
+ mnl_attr_put_u32(nlh, NFTA_NAT_REG_PROTO_BASE,
+ htonl(nat->sreg_proto_base));
  if (e->flags & (1 << NFTNL_EXPR_NAT_FLAGS))
  mnl_attr_put_u32(nlh, NFTA_NAT_FLAGS, htonl(nat->flags));
 }
@@ -258,6 +274,12 @@ nftnl_expr_nat_snprintf(char *buf, size_t remain,
  SNPRINTF_BUFFER_SIZE(ret, remain, offset);
  }
 
+ if (e->flags & (1 << NFTNL_EXPR_NAT_REG_PROTO_BASE)) {
+ ret = snprintf(buf + offset, remain,
+ "proto_base reg %u ", nat->sreg_proto_base);
+ SNPRINTF_BUFFER_SIZE(ret, remain, offset);
+ }
+
  if (e->flags & (1 << NFTNL_EXPR_NAT_FLAGS)) {
  ret = snprintf(buf + offset, remain, "flags 0x%x ", nat->flags);
  SNPRINTF_BUFFER_SIZE(ret, remain, offset);
diff --git a/tests/nft-expr_nat-test.c b/tests/nft-expr_nat-test.c
index 3a365dd307c2..1204c4b7be62 100644
--- a/tests/nft-expr_nat-test.c
+++ b/tests/nft-expr_nat-test.c
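Review bot: `nftnl_expr_nat_build` at `@@ -192` emits `NFTA_NAT_REG_PROTO_BASE` whenever the caller set it, independently of whether `NFTA_NAT_REG_PROTO_MIN`/`MAX` are present, yet by the description a base register is only meaningful relative to a proto range. Presumably the kernel rejects the incomplete combination (not visible here), so leaving validation to it matches how the other attributes are handled, but the dependency is then recorded nowhere in this file and a caller gets only an opaque errno back. I would add `/* only meaningful together with REG_PROTO_MIN/MAX; the kernel validates the combination */` above the new `if`. The `nftnl_expr_nat_cb` hunk at `@@ -116` correctly folds the new attribute into the existing `MNL_TYPE_U32` validation, and every function touched on this line starts and ends outside its hunk.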
@@ -49,6 +49,9 @@ static void cmp_nftnl_expr(struct nftnl_expr *rule_a,
  if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_NAT_REG_PROTO_MAX) !=
  nftnl_expr_get_u32(rule_b, NFTNL_EXPR_NAT_REG_PROTO_MAX))
  print_err("Expr NFTNL_EXPR_NAT_REG_PROTO_MAX mismatches");
+ if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_NAT_REG_PROTO_BASE) !=
+ nftnl_expr_get_u32(rule_b, NFTNL_EXPR_NAT_REG_PROTO_BASE))
+ print_err("Expr NFTNL_EXPR_NAT_REG_PROTO_BASE mismatches");
  if (nftnl_expr_get_u32(rule_a, NFTNL_EXPR_NAT_FLAGS) !=
  nftnl_expr_get_u32(rule_b, NFTNL_EXPR_NAT_FLAGS))
  print_err("Expr NFTNL_EXPR_NAT_FLAGS mismatches");
@@ -77,6 +80,7 @@ int main(int argc, char *argv[])
  nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_ADDR_MAX, 0x5134682);
  nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_MIN, 0x6124385);
  nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_MAX, 0x2153846);
+ nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_REG_PROTO_BASE, 0xbf3c0fbf);
  nftnl_expr_set_u32(ex, NFTNL_EXPR_NAT_FLAGS, 0x4213683);
 
  nftnl_rule_add_expr(a, ex);
--
2.39.2